claude-osint — Claude Skills tool screenshot
Claude Skills

claude-osint: Best Claude Skills for Red Teamers in 2026

8 min read·

claude-osint turns Claude into a structured external recon operator with 90+ modules, so authorized teams get repeatable OSINT tradecraft instead of ad hoc prompting.

Pricing

Open-Source

Tech Stack

Claude Skills system, Markdown SKILL.md files, Python stdlib, Bash, PowerShell

Target

authorized red-teamers, bug bounty hunters, and security researchers

Category

Claude Skills

What Is claude-osint?

claude-osint is a Claude Skills package built by ElementalSoul for authorized recon work, and it is one of the best Claude Skills tools for authorized red-teamers, bug bounty hunters, and security researchers. It ships as two paired SKILL.md files plus a small Python helper, and the repo snapshot claims 90+ recon modules, 48 secret-regex patterns, 80+ dorks, and 5,500+ lines of structured tradecraft. The point is not automation for its own sake; the point is to make Claude reason like a disciplined recon analyst instead of a generic chat model.

Quick Overview

AttributeDetails
TypeClaude Skills
Best Forauthorized red-teamers, bug bounty hunters, and security researchers
Language/StackClaude Skills system, Markdown SKILL.md files, Python stdlib, Bash, PowerShell
LicenseN/A
GitHub StarsN/A as of Feb 2026
PricingOpen-Source
Last ReleaseN/A

Who Should Use claude-osint?

  • Bug bounty hunters who need a repeatable external recon playbook that covers subdomains, Wayback pivots, dorks, secrets, and validation without rebuilding a note-taking workflow every engagement.
  • Red-team operators who want Claude to stay inside a scoped methodology while still surfacing concrete probes, regexes, curl one-liners, and escalation paths.
  • Security researchers who prefer structured tradecraft over prompt improvisation and want reusable checklists for identity, cloud, web, and email attack surfaces.
  • CTOs and security leads who need a shared recon baseline for internal training, especially when junior analysts need guardrails around time budgeting, severity scoring, and reporting.

Not ideal for:

  • Teams that want a point-and-click OSINT UI instead of a local Claude Skills workflow.
  • Analysts who need live crawl orchestration across millions of URLs; this is a methodology layer, not a full scanner.
  • Anyone without an authorized engagement scope, because the repo is explicitly oriented around offensive recon tradecraft.

Key Features of claude-osint

  • Paired methodology and arsenal skillsosint-methodology handles how to think, while offensive-osint handles what to reach for. That split keeps strategy, scoring, and deliverables separate from probes, payloads, and regexes.
  • 90+ recon modules across 12 domains — The repo covers reconnaissance, identity and SSO mapping, web application attack surface, cloud and container exposure, secret hunting, breach intelligence, email security, human intelligence, supply chain, reporting, and sector-specific pivots. That breadth matters because real engagements rarely stay in one surface.
  • Structured external recon pipeline — The methodology skill includes time-budget profiles for 1h, 4h, 1d, and 1w engagements. That gives Claude a concrete operating model for prioritizing what to check first when the window is short.
  • Secret discovery and validation workflow — The offensive skill includes a 48-pattern secret-regex catalog, package-token hunting, GitHub code-search dorks, and 9 read-only credential validators for services like AWS, GitHub, Slack, Anthropic, OpenAI, npm, Atlassian, and DataDog. This is useful because detection and validation are different problems.
  • Cloud and identity coverage — The repo includes Microsoft Entra, Okta, ADFS, Google Workspace, OIDC, SAML, AWS account-ID extraction, and container registry leak hunting. That makes claude-osint useful for modern orgs where identity and cloud metadata reveal more than the app itself.
  • Report-ready output templates — The methodology skill contains findings rubrics, severity matrices, bug-bounty templates, and client deliverable structures. That means the workflow does not stop at finding a signal; it also helps translate the signal into a report that a reviewer can act on.
  • Local helper script for secret scanningsecret_scan.py is stdlib-only and outputs JSONL, which is a practical choice for chaining into other tooling. It keeps the dependency footprint low and makes the output easy to ingest into scripts or notebooks.

claude-osint vs Alternatives

ToolBest ForKey DifferentiatorPricing
claude-osintClaude-native recon workflowsTwo skill files that teach Claude methodology plus tactical probesOpen-Source
SpiderFootBroad automated OSINT collectionMore traditional automated graphing and data collection across many sourcesFreemium
Recon-ngModular terminal-based reconShell-first framework with pluggable modules and a long operator historyOpen-Source
MaltegoLink analysis and investigative graphingVisual entity graphing and investigative pivots for analysts who want a GUIFreemium

Pick claude-osint when you want the model itself to reason through the engagement and generate operator-grade next steps. Pick OpenSwarm when you need a broader agent orchestration layer around repeated tasks, or Claude Context Mode when long investigations need tighter context discipline.

SpiderFoot is the better choice when you want automated source harvesting and a faster raw data sweep. Recon-ng is better if your team already lives in the terminal and wants a classic module runner instead of a Claude-guided skill set.

Maltego wins when the investigation needs a visual link-analysis board for stakeholder reviews or graph-heavy work. claude-osint is the better fit when the output should be a disciplined plan, a set of probes, and a structured report rather than a visual map.

How claude-osint Works

claude-osint works by packaging tradecraft into Claude Skill directories that auto-trigger when the model sees relevant recon language. Each skill is self-contained, so the runtime behavior comes from the SKILL.md instructions, the embedded checklists, and the module catalog rather than from a heavyweight external service.

The design choice here is to encode operator judgment as structured prompts, tables, rubrics, and explicit steps. That means Claude can map an asset graph, rank findings by severity, choose a time budget, and switch from passive enumeration to validation without drifting into random tool suggestions.

The offensive-osint skill also includes concrete helper assets such as regex catalogs, dork templates, read-only validators, and a Python secret scanner. For teams that want to extend the workflow, pairing claude-osint with Brainstorm MCP can help coordinate multi-step investigations, while OpenSwarm is useful when several agents need to share task state.

# getting started example
mkdir -p ~/.claude/skills
cp -R claude-osint/skills/osint-methodology ~/.claude/skills/
cp -R claude-osint/skills/offensive-osint ~/.claude/skills/
python3 claude-osint/skills/offensive-osint/scripts/secret_scan.py --help

The copy commands place the skills where Claude Code can auto-detect them, and the helper script shows the local scanning interface. After that, you trigger the skills by using recon-relevant prompts inside Claude and expect the model to answer with methodology, queries, and next actions that match the repo's structure.

Pros and Cons of claude-osint

Pros:

  • Very broad recon coverage — The repo spans web, cloud, identity, email, supply chain, breach intel, and human intelligence, so the operator does not need five separate notebooks to get through an engagement.
  • Methodology plus tactics in one package — The separation between thinking and action reduces prompt sprawl and makes it easier to audit why Claude suggested a given path.
  • Concrete artifacts — Regexes, dorks, validators, and a runnable Python helper are all practical output, not just prose.
  • Reporting support — Severity rubrics and submission templates shorten the path from discovery to a usable deliverable.
  • Low dependency footprint — The included script is stdlib-only, which lowers the friction for offline inspection and quick validation.
  • Good fit for repeatable engagements — The time-budget profiles and structured checklists make it easier to standardize team behavior across analysts.

Cons:

  • Not a full scanner — claude-osint is a skill layer, so it still depends on the operator to run external tools and collect evidence.
  • Requires Claude Skills support — If your workflow is not already inside Claude Code or a compatible skills environment, the repo is less useful.
  • Only as good as the operator's scope discipline — The content is offensive in orientation, so bad scoping or sloppy use will create noise fast.
  • No visible license in the scraped text — The repo is open-source in practice, but the scraped page did not expose a license, so compliance review is still needed.
  • Can overwhelm beginners — 90+ modules and many domains are useful for experts, but junior analysts may need a shorter starting playbook.

Getting Started with claude-osint

git clone https://github.com/elementalsouls/Claude-OSINT.git
cd Claude-OSINT
mkdir -p ~/.claude/skills
cp -R skills/osint-methodology ~/.claude/skills/
cp -R skills/offensive-osint ~/.claude/skills/
python3 skills/offensive-osint/scripts/secret_scan.py --help

After that, open Claude Code and prompt for a scoped external recon plan, a subdomain sweep, or a secret-hunting workflow. The first manual step is usually validating that your Claude environment is reading the copied skill directories, then testing a simple prompt that references authorized reconnaissance.

Verdict

claude-osint is the strongest option for Claude-native external recon when you want repeatable operator tradecraft instead of generic model suggestions. Its biggest strength is the split between methodology and tactics, and its main caveat is that it is a skills layer, not an autonomous scanner. If your team already uses Claude Code and works authorized engagements, this is worth adopting.

Frequently Asked Questions

Looking for alternatives?

Compare claude-osint with other Claude Skills tools.

See Alternatives →

Related Tools